
Architecture for Security on AWS

The Scale Factory

May 02, 2019

Transcript

  1. Book your review with us after this event.

    Funding of up to $5,000 per workload available.
  2. 2018 STATE OF DEVOPS REPORT_ DORA

    "Low performers take weeks to conduct security reviews and complete the changes identified. In contrast, elite performers build security in and can conduct security reviews and complete changes in just days."
  3. THE SCALE FACTORY WAY_

    People first
    Match solution to workload
    Leverage the AWS platform
    Automate
    Iterate
  4. 5 AREAS OF SECURITY_

    Identity and access management
    Detective controls
    Infrastructure protection
    Data protection
    Incident response
  5. GOOD IAM PRACTICE_

    No access to the root account
    Unique credentials per person
    Create least-privilege policies
  6. AWS ORGANIZATIONS_

    [Diagram] Labels visible on the slide: Root Account; SSO; Security (Security Log Bucket); OU: Developers (Jon's Sandbox, Salma's Sandbox); OU: Services (Live, Staging); roles DeveloperRole, SecurityAdminRole, OperatorRole; Trust Relationship Policy (DeveloperRole); Service Control Policy
  7. LEAST PRIVILEGE?_

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:CreateBucket",
            "s3:DeleteObject",
            "s3:Put*",
            "s3:Get*",
            "s3:List*"
          ],
          "Resource": [
            "arn:aws:s3:::*"
          ]
        }
      ]
    }
  8. YOUR IAM MIGHT NEED WORK IF YOU_

    Log in with the root account
    Have >1 identity for a single person
    Don't use roles for compute services
    Don't enforce MFA
    Hard-code secrets in app config (or code!)
    Have IAM policies with *s in (too permissive)
    Use a lot of AWS managed IAM policies
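Added example, not code from the deck: the S3 policy from slide 7 beside a least-privilege rewrite, and a small linter that flags the wildcard actions and resources the two slides above warn about. The bucket name example-app-uploads and the prefix uploads/ are assumptions. The linter is a heuristic for the patterns on the slides; it does not evaluate Conditions or resource policies, so a clean result means "no obvious *s", not "proven least privilege".

```python
"""Spot the '*'s in an IAM policy document.

Added example, not code from the deck. SLIDE_POLICY is the policy shown on the
slide; TIGHT_POLICY is a least-privilege rewrite for an assumed bucket
'example-app-uploads' and prefix 'uploads/'. lint_policy() is a heuristic for
the patterns the deck calls out (wildcard actions, wildcard resources,
NotAction/NotResource); it does not reason about Conditions or resource policies.
"""
import json

# The slide's policy: every S3 bucket in the account, and Put*/Get*/List* expand
# to far more than object reads and writes (bucket policies, ACLs, lifecycle...).
SLIDE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:CreateBucket", "s3:DeleteObject", "s3:Put*", "s3:Get*", "s3:List*"],
            "Resource": ["arn:aws:s3:::*"],
        }
    ],
}

# Least-privilege rewrite (bucket name and prefix are assumed for the example):
# explicit API names, one bucket, objects under one prefix only.
TIGHT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListUploadsPrefixOnly",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-app-uploads"],
            "Condition": {"StringLike": {"s3:prefix": ["uploads/*"]}},
        },
        {
            "Sid": "ReadWriteUploadsObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": ["arn:aws:s3:::example-app-uploads/uploads/*"],
        },
    ],
}


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (statement label, reason) findings for over-broad Allow statements."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        label = stmt.get("Sid", f"Statement[{index}]")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((label, "NotAction/NotResource allows everything except the listed items"))
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((label, "Action '*' is every API in every service"))
            elif action.endswith(":*"):
                findings.append((label, f"Action '{action}' is every API in that service"))
            elif "*" in action:
                findings.append((label, f"Action '{action}' is a wildcard; list the APIs actually called"))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((label, "Resource '*' is every resource in the account"))
            elif resource.endswith(":*"):
                findings.append((label, f"Resource '{resource}' is every resource of that type"))
    return findings


def is_least_privilege(policy):
    """True when the linter finds nothing to flag (a necessary, not sufficient, check)."""
    return not lint_policy(policy)


if __name__ == "__main__":
    for name, policy in (("slide", SLIDE_POLICY), ("tight", TIGHT_POLICY)):
        print(f"{name}: {json.dumps(lint_policy(policy), indent=2)}")
```

Run as-is it reports four findings for the slide's policy (three wildcard actions and the bucket-wide resource) and none for the rewrite; the same function can be pointed at the policy documents returned by the IAM API or at policies in version control before they are applied.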
  9. YOUR CONTROLS MAY NEED WORK IF..._

    You're not logging anything / enough
    You're not alerting on important log conditions
    Alerts/notifications are noisy or ignored
    You're only using logs when debugging
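Added example, not code from the deck: alert rules run over CloudTrail records, for the "important log conditions" the IAM and detective-controls slides imply (root account use, console login without MFA, failed logins, turning the trail off). The records are constructed in the shape of CloudTrail entries, with account 123456789012 and the trail name org-trail as assumptions; the routine DescribeInstances call is included to show a rule set that stays quiet on normal traffic.

```python
"""Alert rules over CloudTrail records.

Added example, not code from the deck. SAMPLE_RECORDS is constructed in the
shape of CloudTrail log entries (account id, names and addresses are made up)
to illustrate alert conditions the deck implies: root account use, console
login without MFA, failed logins and trail tampering. The routine read-only
call at the end deliberately produces no alert.
"""
import json

SAMPLE_RECORDS = [
    {   # root user signed in to the console without MFA
        "eventTime": "2019-05-02T09:12:44Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # normal IAM user login with MFA: no alert
        "eventTime": "2019-05-02T09:20:01Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "salma"},
        "additionalEventData": {"MFAUsed": "Yes"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # failed login for one user
        "eventTime": "2019-05-02T09:21:30Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.5",
        "userIdentity": {"type": "IAMUser", "userName": "jon"},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Failure"},
        "errorMessage": "Failed authentication",
    },
    {   # someone turned the organisation trail off
        "eventTime": "2019-05-02T10:02:13Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/OperatorRole/salma"},
        "requestParameters": {"name": "org-trail"},
    },
    {   # routine read-only call: should not alert
        "eventTime": "2019-05-02T10:05:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/DeveloperRole/jon"},
    },
]

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _actor(record):
    identity = record.get("userIdentity", {})
    return identity.get("arn") or identity.get("userName") or identity.get("type", "unknown")


def rule_root_activity(record):
    """Any login or API call by the root user. 'invokedBy' marks calls an AWS
    service made on the account's behalf, which are excluded."""
    identity = record.get("userIdentity", {})
    if identity.get("type") == "Root" and "invokedBy" not in identity:
        return "high", f"root account used: {record['eventName']} from {record.get('sourceIPAddress')}"


def rule_console_login_without_mfa(record):
    """Successful console sign-in where MFA was not used."""
    if (record.get("eventName") == "ConsoleLogin"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and record.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        return "high", f"console login without MFA by {_actor(record)}"


def rule_failed_console_login(record):
    if (record.get("eventName") == "ConsoleLogin"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Failure"):
        return "medium", f"failed console login for {_actor(record)} from {record.get('sourceIPAddress')}"


def rule_trail_tampering(record):
    """Changes that would blind the detective controls themselves."""
    if (record.get("eventSource") == "cloudtrail.amazonaws.com"
            and record.get("eventName") in TRAIL_TAMPERING):
        trail = record.get("requestParameters", {}).get("name", "?")
        return "high", f"{record['eventName']} on trail {trail} by {_actor(record)}"


RULES = [rule_root_activity, rule_console_login_without_mfa,
         rule_failed_console_login, rule_trail_tampering]


def evaluate(records, rules=RULES):
    """Return alerts as dicts; one record may trip several rules."""
    alerts = []
    for record in records:
        for rule in rules:
            hit = rule(record)
            if hit:
                severity, summary = hit
                alerts.append({"rule": rule.__name__, "severity": severity,
                               "time": record.get("eventTime"), "summary": summary})
    return alerts


if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_RECORDS), indent=2))
```

The same rules translate directly into CloudWatch Logs metric filters or EventBridge patterns once the trail is delivering to CloudWatch; the point of keeping them as small functions is that each one can be tested against a captured record before it is allowed to page anyone, which is how the "noisy or ignored" failure mode gets avoided.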
  10. AMAZON INSPECTOR_

    Scans for network reachability
    Checks hosts against known CVEs
    Checks against CIS benchmarks
    Checks other security best practice
    Analyses app runtime behaviour
  11. YOUR PROTECTION MAY NEED WORK IF..._

    You have anything other than LB or NAT in public networks
    Your security groups are too permissive
    You mainly use CIDR network ranges in your SGs
    You're not protecting your application with WAF
    You're not actively scanning for vulnerabilities
    You're not checking your application dependencies' security
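Added example, not code from the deck: an audit of security group ingress rules for the two slide points about groups being too permissive and using CIDR ranges where a security group reference belongs. The groups are constructed in the shape of ec2.describe_security_groups()['SecurityGroups'] so the check runs offline; the group ids, EDGE_GROUPS (the load balancer group allowed to face the internet) and EDGE_PORTS are assumptions.

```python
"""Audit security group ingress rules for the patterns on the slide.

Added example, not code from the deck. SAMPLE_GROUPS is constructed in the
shape of ec2.describe_security_groups()['SecurityGroups'] so it runs offline;
against a real account you would pass that call's result in. EDGE_GROUPS and
EDGE_PORTS are assumptions: the load-balancer groups that are allowed to face
the internet, and on which ports.
"""

ANYWHERE = {"0.0.0.0/0", "::/0"}
EDGE_GROUPS = {"sg-0a1b2c3d4e5f60001"}   # assumed: the public ALB's group
EDGE_PORTS = {80, 443}

SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "public-alb", "IpPermissions": [
        # expected: internet-facing load balancer on 443 only
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "app", "IpPermissions": [
        # good: app port reachable only from the load balancer's group
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]},
        # bad: SSH open to the world
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "db", "IpPermissions": [
        # bad: whole VPC CIDR instead of the app group, so any host in the VPC reaches the DB
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        # bad: all protocols and ports from a subnet
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
    ]},
]


def _sources(rule):
    """Split a rule's sources into CIDR strings and referenced group ids."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    refs = [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
    return cidrs, refs


def _ports(rule):
    """'all' for protocol -1, otherwise the port or port range as a string."""
    if rule.get("IpProtocol") == "-1":
        return "all"
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    return str(lo) if lo == hi else f"{lo}-{hi}"


def audit_security_groups(groups, edge_groups=EDGE_GROUPS, edge_ports=EDGE_PORTS):
    """Return (group id, finding) pairs for ingress rules that need a look."""
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        for rule in sg.get("IpPermissions", []):
            cidrs, refs = _sources(rule)
            ports = _ports(rule)
            if ports == "all":
                findings.append((gid, f"all protocols and ports allowed from {cidrs + refs}"))
            for cidr in cidrs:
                if cidr in ANYWHERE:
                    port = rule.get("FromPort")
                    is_edge = (gid in edge_groups and rule.get("IpProtocol") == "tcp"
                               and port == rule.get("ToPort") and port in edge_ports)
                    if not is_edge:
                        findings.append((gid, f"port {ports} open to the internet ({cidr})"))
                else:
                    findings.append((gid, f"port {ports} from CIDR {cidr}; "
                                          "reference the client security group instead"))
            # rules whose only sources are group references are the pattern the deck wants
    return findings


if __name__ == "__main__":
    for gid, finding in audit_security_groups(SAMPLE_GROUPS):
        print(f"{gid}: {finding}")
```

On the constructed groups the load balancer passes, the app group is flagged once for SSH from anywhere, and the database group three times (the VPC-wide CIDR, the all-protocol rule, and that rule's CIDR source). Group references are what keep the rule set tight as hosts come and go in an auto-scaling group; a CIDR grants access to whatever happens to be in that range, including a compromised host.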
  12. CLASSIFY DATA_

    Identify different data classification levels
    Use tagging of resources
    Use KMS keys per classification level
    Control principal access to keys & resources
    Consider tokenisation
    Use Amazon Macie to look for sensitive data in S3
  13. DATA AT REST_

    Use service features to encrypt at rest
    Limit personnel access to data (IAM)
    Copy base AMIs with encryption
  14. PROTECT SECRETS_

    AWS Secrets Manager
    Temporary RDS tokens (IAM database authentication)
    Parameter Store
    Control principal access with IAM
    (Vendor solutions)
  15. DATA IN TRANSIT_

    Use HTTPS listeners on load balancers
    Use HTTPS on CloudFront
    Use ACM for certificate management
    Use VPNs where necessary*
  16. DATA PROTECTION MAY NEED WORK IF..._

    Too many people have access to too much data
    You haven't thought about data classification
    You're not encrypting at rest
    You're not encrypting in transit
    You store secrets anywhere other than in AWS services
    You don't have complete backups
    You haven't tried restoring your backups recently
  17. RUNBOOK / PLAYBOOK_

    Document incident response for your team
    Ensure team members are on call
    Run regular incident drills
  18. INCIDENT RESPONSE MAY NEED WORK IF..._

    You can't remediate common incidents automatically
    You can't quarantine bad nodes for later forensics
    You don't have engineers on call for security incidents
    Engineers don't know how to respond to on-call alerts
    You don't regularly practice incident response